Splunk Lantern

EDI: Acknowledgement timing

 

This article shows you how to build a search to monitor delayed acknowledgments. This is a key performance indicator for companies that need to monitor electronic data interchange (EDI) transmission and acknowledgement.

EDI plays a critical role in ensuring that data flows seamlessly across various stakeholders—suppliers, manufacturers, logistics providers, and retailers—without manual intervention. It is a core technology for automating supply chain processes. By continuously monitoring EDI transmissions and acknowledgments, businesses can proactively identify and resolve issues, ensuring smooth communication between systems and uninterrupted supply chain operations.

KPI search example

The search measures the time it takes for a receiving system to send back a 997 functional acknowledgment after an EDI document is transmitted. The 997 confirms that the recipient successfully received and processed the transmitted document.

For monitoring the performance of EDI transactions, Acknowledgment Timing is also a crucial metric to track. Delays in acknowledgment timing can indicate several issues. One possibility is that the systems involved in exchanging EDI transactions are not performing optimally. There might be infrastructure-related problems such as network congestion or unavailability. Another important indication could be that the receiving system on the other end is unavailable.

Monitoring the time needed to receive functional acknowledgments ensures timely confirmation of received documents. Delayed 997s might signal problems with communication or processing, leading to uncertainty about whether the transmitted documents were successfully received.

To calculate acknowledgment timing, we need to incorporate additional time-related aggregations into the stats command when combining request and acknowledgment events. Using earliest(_time) as time_first and latest(_time) as time_last allows us to determine the time of the initial request and the time of the acknowledgment, respectively. With these timestamps, we can calculate the difference between the time of the request and the time of the acknowledgment using eval ack_time_took=time_last-time_first. Finally, by using the timechart command, we can calculate the average of ack_time_took to determine the average time taken for acknowledgment.

index=supply_chain_edi sourcetype="edi:x12" 
| eval edi_ack_status_combo=edi_code+"-"+edi_code_ack+"-"+edi_ack_status 
| eval edi_code_groupby=if(isnull(edi_code_ack), edi_code, edi_code_ack) 
| stats latest(_time) AS time_last, earliest(_time) AS time_first,first(_time) AS _time, last(edi_requestor) AS edi_requestor, last(edi_responder) AS edi_responder, first(edi_code) AS edi_type, list(edi_code) AS edi_code, last(edi_ack_status) AS edi_ack_status BY edi_tr_id edi_code_groupby
| eval ack_time_took=time_last-time_first
| timechart avg(ack_time_took) AS ack_time_took

Use a line chart visualization to clearly show the acknowledgment times over a given period.

The results show missing or delayed 997 acknowledgments beyond an agreed service level agreement (SLA) timeframe. This could result in halted processes, delayed shipments, or missed orders.

Next, how do we find which transactions are above the SLA? Here is the search that applies a threshold to search for transactions with five seconds or more. Using the search command, apply ack_time_took>1000.

index=supply_chain_edi sourcetype="edi:x12" 
| eval edi_ack_status_combo=edi_code+"-"+edi_code_ack+"-"+edi_ack_status 
| eval edi_code_groupby=if(isnull(edi_code_ack), edi_code, edi_code_ack) 
| stats latest(_time) AS time_last, earliest(_time) AS time_first,first(_time) AS _time, last(edi_requestor) AS edi_requestor, last(edi_responder) AS edi_responder, first(edi_code) AS edi_type, values(edi_code) AS edi_code, last(edi_ack_status) AS edi_ack_status BY edi_tr_id edi_code_groupby
| eval ack_time_took=time_last-time_first
| search edi_ack_status=A ack_time_took>1000

Search explanations

Splunk search:
index=supply_chain_edi sourcetype="edi:x12"
Explanation:
Select EDI X12 data by selecting the sourcetype edi:x12.

Splunk search:
| eval edi_ack_status_combo=edi_code+"-"+edi_code_ack+"-"+edi_ack_status
| eval edi_code_groupby=if(isnull(edi_code_ack), edi_code, edi_code_ack)
Explanation:
Create a new evaluated field edi_ack_status_combo that combines the edi_code, edi_code_ack, and edi_ack_status fields. Use another eval command to create the edi_code_groupby field to join all EDI events with EDI 997 acknowledgment events.

Splunk search:
| stats latest(_time) as time_last, earliest(_time) as time_first,first(_time) as _time, last(edi_requestor) as edi_requestor, last(edi_responder) as edi_responder, first(edi_code) as edi_type, values(edi_code) as edi_code, last(edi_ack_status) as edi_ack_status by edi_tr_id edi_code_groupby
Explanation:
Join all EDI events with EDI 997 (acknowledgment) events into a single event. A successfully joined event has an edi_ack_status field, which indicates that there was a matching pair of EDI and EDI acknowledgment.

Events with null values in edi_ack_status mean that there is no matching pair of EDI acknowledgments. Events with successfully joined EDIs have “A”, “E”, or “R” flags indicating their status.

Using latest(_time) and earliest(_time), capture the times of the original EDI sent and of its EDI 997 (acknowledgment), so we can calculate the time to receive acknowledgment.

Splunk search:
| eval ack_time_took=time_last-time_first
Explanation:
Calculate ack_time_took by subtracting the earliest event timestamp from the latest event timestamp.

Splunk search:
| search edi_ack_status=A ack_time_took>1000
Explanation:
Apply a time threshold to the acknowledgment time of those EDI transactions that have been successfully accepted. This KPI is a good metric for monitoring the performance of EDI systems internally, as well as of the systems they interact with.
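
The threshold search above keeps only accepted transactions (edi_ack_status=A), so a transaction whose 997 never arrives is filtered out. The following search is an added example, not part of the original article: it classifies each transaction as on time, late, pending, or missing, reusing the field names and the 1000 threshold from the searches above. The SAMPLE- transactions (one acknowledged quickly, one acknowledged late, one never acknowledged), the offset_s, sla_seconds, waiting_seconds, and sla_state names, and the one-hour backdating are constructed for illustration. It assumes a Splunk version whose makeresults command supports format=csv. Because _time is epoch time, ack_time_took and sla_seconds are in seconds.

```spl
| makeresults format=csv data="offset_s,edi_tr_id,edi_code,edi_code_ack,edi_ack_status
0,SAMPLE-0001,850,,
3,SAMPLE-0001,997,850,A
0,SAMPLE-0002,856,,
1500,SAMPLE-0002,997,856,A
0,SAMPLE-0003,810,,"
| eval _time=relative_time(now(), "-1h") + tonumber(offset_s)
| eval edi_code_ack=nullif(edi_code_ack, ""), edi_ack_status=nullif(edi_ack_status, "")
| eval edi_code_groupby=if(isnull(edi_code_ack), edi_code, edi_code_ack)
| stats latest(_time) AS time_last, earliest(_time) AS time_first, values(edi_code) AS edi_code, last(edi_ack_status) AS edi_ack_status BY edi_tr_id edi_code_groupby
| eval sla_seconds=1000
| eval ack_time_took=time_last-time_first, waiting_seconds=now()-time_first
| eval sla_state=case(
    isnull(edi_ack_status) AND waiting_seconds>sla_seconds, "missing",
    isnull(edi_ack_status), "pending",
    ack_time_took>sla_seconds, "late",
    true(), "on_time")
| table edi_tr_id edi_code_groupby edi_ack_status ack_time_took waiting_seconds sla_state
```

To run the same classification on real data, replace the makeresults block and the two eval lines that follow it with index=supply_chain_edi sourcetype="edi:x12", and add | search sla_state IN ("late", "missing") to keep only SLA breaches.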

Next steps

When you have this search running in your Splunk platform, return to the Monitoring electronic data interchange transmission and acknowledgement use case to learn how to share the results with stakeholders and to find other KPIs you might want to measure. You can also review the Solution Accelerator for Supply Chain Optimization for more great use cases to help you use the Splunk platform to be successful in your supply chain operations.